DPA Briefing for LGUs

Captions
tip number five use two-factor authentication two-factor authentication it adds an extra layer of security to make sure that ito access aside from entering your password is online factor authentication it's up to you there you go five simple and practical tips to make sure in a secure among online accounts navigate safely online stay safe from the virus and stay safe online bye guys [Music] hello everybody i am back for another video to share tips on how to stay safe online these past few months lagging to stay safe from the virus that is why in my last video i shared with you about the data privacy act secure and adding online accounts for this video i want to share with you five tips on how to navigate safely online tip number one email from an unknown source as much as possible or personal information so please always verify hindi legitimate email wedding it deleted tip number two make sure that my https is a browser address https is information and only authorized parties can view your personal data so the next time you visit any website first time among this exo website look for the s in https tip number three is always log out of browsers every time you access site on my sensitive information to lagnan online banking or online shopping near recommended you have to log out and much better than if you close the whole browser make sure to always log out and close your browsers tip number four do not click on pop-ups virus warning web developers or companies among pop-up ads the sad reality is online privacy at samoa security risks so a legit ad blocker will block agajima website naked fishing some malware scams even third-party trackers and remember before installing any software or apps in your gadget make sure and legit at secure and last tip number five don't share your authentication code or otp to anyone else website so as a rule do not share your otp with anyone else in the video i will share some sharing tips or tips for parents online to help you make 
sure that your family kids will stay safe on the internet and if you want to know about data privacy or even your rights you can visit the national privacy commission website stay safe from the virus and stay safe online bye [Music] e-modules cyber safety online behavior that you're safe and protected in the digital world all day and all night you're glued to your mobile phone locked up or tablet device internet internet friends work at [Music] [Music] [Music] schedule and set a limit to your internet use then you can spend more time with your family and friends see to your health exercise catch up on sleep or attend to unfinished tasks between the time we spend online and the time offline [Music] let's all work together in using the internet responsively bye [Music] foreign the password [Music] [Music] [Music] [Music] [Music] i met alice in san francisco in 2011. [Music] going below [Music] [Music] out [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] online [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] [Music] mobile devices [Music] but wait what two thousand dollars for that i know ayo [Music] isn't it too much for a single transaction i might get scammed remember for every transaction only give out the necessary personal information [Music] [Music] privacy [Music] let me check [Music] get access to my location [Music] okay an email address [Music] remember be careful in downloading and granting permission to mobile applications location mode [Music] is national privacy commission [Music] [Music] that could lead you to malware [Music] national privacy commission [Music] huh [Music] never use the same password on multiple accounts [Music] example is a national privacy commission can you do a research on this i need it by the end of the day okay boss so where should i start [Music] remember only visit safe and trustworthy websites when searching online [Music] is the national privacy commission [Music] the use of 
internet-based services has often been about enjoying new possibilities convenience and life enriching services as such we have overlooked the dangers that online carelessness may have on our privacy safety security and sense of trust it's time we gain the upper hand and take back control psst privacy safety security and trust online an advocacy of the national privacy commission to arm filipinos with the information and self-help tools to protect themselves and loved ones from dangers of careless use of personal data online a call out on the hazards of people's bad online habits and behaviors a friendly reminder to be a responsible filipina social media citizen safeguarding your privacy safety security and trust online all the time privacy [Music] would you believe profiling or direct marketing [Music] information mode know your rights best you have the right to be informed right to object right to access right to rectification right to erasure or blocking write the damages write the data portability right to file a complaint complaints at privacy.gov dot ph [Music] to visit www.privacy.gov dot ph [Music] in the aquatina miss universe the most significant change i've seen in the world in the past 10 years is the rise of information as the primal remover of policy and economies [Music] of [Music] anxious [Music] social security number passport information chairman and national privacy [Music] [Music] [Music] [Music] right [Music] do [Music] if it's too good to be true it probably is a victim and privacy more omg [Music] hi bmw papillon online partner with free gifts yes sir has been approved i need to verify your full name that is why privacy matters national protect privacy commission and human right to privacy filing and personal information [Music] [Music] [Music] [Music] [Music] go [Music] [Music] [Music] [Music] a specific superpose hindi waiting past purpose national privacy commission [Music] filipino [Music] [Music] [Music] but wait what two thousand 
dollars for that i know this is way cheaper right now isn't it too much for a single transaction i might get scammed remember for every transaction only give out the necessary personal information [Music] privacy [Music] elega let me check [Music] grant access to my location okay but email address be careful in downloading and granting permission to mobile applications la lin is a location model national privacy commission [Music] um [Music] latest episode that could lead you to malware [Music] national privacy commission [Music] foreign [Music] huh [Music] never use the same password on multiple accounts [Music] is a national privacy commission can you do a research on this i need it by the end of the day okay boss so where should i start [Music] remember only visit safe and trustworthy websites when searching online [Music] national privacy commission [Music] the use of internet-based services has often been about enjoying new possibilities convenience and life enriching services as such we have overlooked the dangers that online carelessness may have on our privacy safety security and sense of trust it's time we gain the upper hand and take back control psst privacy safety security and trust online an advocacy of the national privacy commission to arm filipinos with the information and self-help tools to protect themselves and loved ones from dangers of careless use of personal data online a call out on the hazards of people's bad online habits and behaviors a friendly reminder to be a responsible filipino social media citizen safeguarding your privacy safety security and trust online all the time um [Music] would is secure in a processing non-personal information mode know your rights best you have the right to be informed right to object right to access right to rectification right to erasure or blocking write the damages write the data portability right to file a complaint complaints at privacy.gov dot ph [Music] [Music] www.privacy.gov dot ph [Music] miss 
universe the most significant change i've seen in the world in the past 10 years is the rise of information as the primal remover [Music] foreign data protection officers administrator representatives from different lg us sabo on pilipinas um [Music] opening prayer [Music] my [Music] heavenly father we come into your presence in the name of jesus thank you for your mercies are new every morning as we take on a fresh beginning in this week filled with your promise let your presence be upon us please bless the works of our hands help us to be productive and bear fruit that remains we recognize that apart from you we can do nothing may the holy spirit guide and protect us in every step that we need to take and give us wisdom in every decision we need to make provide us with your supernatural joy and strength in the midst of adversity may we work with an attitude of gratitude take nothing for granted and live life to the fullest fill our hearts with your love so we can be a blessing to others as you are to us teach us your ways lord and help us fix our eyes on you alone let your keeping grace sustain us for the rest of the week this is our prayer in jesus name amen [Music] uh [Music] [Applause] [Music] uh [Music] [Applause] [Music] [Applause] [Music] [Applause] [Music] good morning once again okay so to formally start this event i would i would introduce the person who will deliver the opening remarks okay so she is the chief of the policy review division of the national privacy commission as well as the project head of the field dpo development program otherwise known as the dpoa certification program she graduated laude at the university of the philippines manila with a degree in ba political science and took up bachelor of laws at san beda university she represented the philippines in the asean-japan workshop on pii protection and related issues in july 2017 and served as a resource speaker on data privacy concerns in the asean digital trade workshop held last 
august 2019 she is also a certified information privacy manager and has been designated as the policy advisor for the government sector in the data privacy council ladies and gentlemen let us all welcome attorney vida sora bohar so good morning everyone and welcome uh dpa briefing and hello i am thank you so good morning and i am in our last month of the year hopefully what uh this has been the longest year so far and um and one of those is of course the processing of personal information lgus are one of the largest and one of the most important processors personal information information is at the tip of uh it's at the touch of your fingertips um online classes uh online um assistance applications and to make sure in the protected personal information brief um orientation or overview data privacy act topic then that involves the processing of personal information and you may explain my sensitive personal information new contact tracing apps one of the efforts but to hopefully bend the curve or flatten the curve is through contact racing and yonkota tracing involves um personal information or the processing of personal data so that but important the helium digitally for instance the use of apps diameter like lg used in the contact racing through those digital apps or through mobile apps um npc how to effectively um process personal information through whatever digital or manual means orientation and to start off uh i'll turn you over to uh the first speaker so familiar speaker nathan means show you mr claire martinez is a former id professor at national university a certified iso internal auditor a certified accreditor at philippine association of colleges and universities commission on accreditation and the certified lead auditor for information security management systems and he has served as a reader speaker on data privacy to various government agencies so on the bandamina point limited by lgu so some of those are include dep ed shed doh yeah the ict our mother 
agency i had dilg pnp and civil service commission among others so he is currently connected with uh npc's compliance and monitoring division as information technology officer two sharing assistant project head of the phil dpo development group program who manages the dpoa's training and certification program so without further ado let us welcome mr cleo martinez thank you authority vida for the introduction yeah by the way i'd like to uh uh thank um event nato next slide please okay so after this briefing you will know what the law is all about and how it will affect you okay next slide which is more important for you is it [Music] so there was a public school teacher nah nah receive no notification from three banks that he had borrowed a total of eight hundred thousand so but he denied applying for these loans no so indeed okay so the only thing he remembered was posting a photo of his uh prc id so because of his excitement he posted a photo of his id online social media data okay next slide please um examples okay number one breach so this happened so what happened here so there was a hacking incident and the hackers were able to get the copy of the database voters or maybe this is one of the reason why we are receiving unsolicited texts unsolicited email or even calls [Music] in applying for alone government issued ideas okay so next example so eternal uh breach happened because of a lag book visitor slack book [Music] so there was this person who was able to take a picture and he post as one of the stuff of the recruitment agency and he was able to solicit money from those listed so the visitors coming in and out but information your name number for example to protect the personal data okay next please okay uh next is um the list of top student sponsors students i [Music] so what is the remedy for this [Music] [Music] number four unsecured storage of patient records records so whether it's electronic or physical copy the patmeron protection okay so next part i 
online lending yeah i mean [Music] [Music] because they collect personal information so mostly telemarketers [Music] okay next [Music] [Music] security okay next piece another example disclose 19 and because of the unauthorized disclosure exposed and to some other authorized government agencies okay okay next piece okay um so these are the key terms that you must uh remember so individual whose personal information sensitive personal information or privileged information is being processed information foreign [Music] so it is any operation of any set of operations performed upon the personal data including but not limited to the collection recording organization storage updating or modification retrieval consultation etc disposal so from the collection disposal cycle okay online form that type ko so that is processing latian processing that in code case a computer and data that is processing scenario or distorts a usb drive that is processing processing processing on a distribute for example a photo happy kaio that is also okay next personal information controller okay it's a natural or judicial person or any other body who controls the processing of personal data or instructs another to process personal data on its behalf okay okay so the lgu itself european personal information controller but private personal information controller dimple okay there's a processing of personal data okay and it's usually represented okay so is the entity or the organization itself okay municipality young province huh okay so i know i see our personal information controller yeah okay information processor or pip for short okay so then on the juridical person uh or got natural okay to whom a personal information controller may outsource or instruct the processing of personal data okay example okay personal information processor okay so pedering uh young p i c okay uh company a p i c company b p i c c company b in outsource the company a so that [Music] should not make use of the 
personal information okay next data or an individual who will be accountable for ensuring the pic and pip's compliance with the dpa it's officer i lg memorandum circular 2018 and 36. each lgu should designate a dpo a component city municipality or barangay is allowed to designate a compliance officer for privacy which shall be under the supervision of the dpo of the province of such component city municipality or barangay a question okay sorry for that okay uh-huh so data protection officer ah okay next piece okay so personal data classification of personal data i personal data point classification adding personal data una personal information so it is any information from which the identity of the individual is apparent information okay so for example yes [Music] okay it can be also any information when put together with other information can reasonably and directly identify and individual so again for example birthday and address okay so aside from personal information sensitive personal information classification personal data information okay and a question no no what ah why do we have to distinguish personal information sensitive personal [Music] proceeding for any offense yeah in case government issued personal numbers such as sss gsis etc okay so it refers to a breach of security leading to the accidental or unlawful destruction loss alteration unauthorized disclosure access to personal data transmitted [Music] peace resulting from loss accidental unlawful destruction of personal data okay so example a physical form and personal date not so i'm looking unavailable you data okay an expo i integrity breach resulting from alteration of personal data [Music] resulting from unauthorized disclosure of personal data okay so confidentiality for example records okay another term eto i process data sharing disclosure are transferred to a third party of personal data under the control or custody of a personal information controller okay data sharing data for example 
still so the national privacy commission is composed of privacy commissioner raymond enriquez liboro and uh i think two deputy commissioners authority john henry do naga and attorney leandro angelo aguirre okay next please um presentation i think structure of ra101 73 identities in sections 11 to 21 rights of data subjects obligations of personal information controllers and processors okay and better think specific provisions for government government sections 22 and 24. now so the data privacy act of 2012 is the short title okay so it is an act of description and app protecting individual personal information in information and communication systems in the government and the private sector creating for this purpose the national privacy commission and for other purposes now your commission for me national privacy commission i 2016 point established okay and where is privacy in all of this so the law opposed the right to privacy by protecting individual personal information so the npc protects the information the personal information by regulating the processing of personal information okay it is a mandate of the npc to administer and implement the act to monitor and ensure compliance of the country with international standards set for the uh personal data protection okay so these are the functions of npc role making advisories public education like this compliance and monitoring so coming attention compliance checks or so next function is complaints and investigation and of course your complaint and investigation so we accept uh complaints and champion investigation and of course enforcement so the scope of the law it applies to all uh types of personal information in the country and even abroad but of course subject to certain qualifications now the personal information controls controllers may invoke the principle of privileged communication over privileged information that they lawfully control our process [Music] of alibaba between husband and wife or between 
lawyer and client or between a doctor and patient information with the is personal information and privileged information so if it's being same treatment involve unprivileged information penalty okay and now let's move on to the rise of the data subject as data subject [Music] to or the right to be informed inform the what so that the data subject must be aware of the nature extent and purpose of the processing of this information next so as data subjects you have the right to object to the processing so processing upon demand of the data subject okay pretty pushy question access to the processing of his personal data okay i'm reason puja i alimbawa to verify the legality of the processing okay again upon demand next the right to correct okay so data six right the damages so if you sustain any damage from the processing of your personal data next seven is right to data portability so this right is quite new even for some other jurisdiction but the concept of this is um by the way electronic form of data and concept the data subject may request for a copy of the personal data and it should be given by the pic in a home structured format readily usable by other organizations so you put your right to data portability and lastly the right to file a complaint so those are the rise of the data subjects okay next data privacy principles so the data subject must be aware of the nature purpose and extent of the processing of his or her personal data [Music] by the use of privacy notice privacy policy and consent okay let's start with privacy noti and privacy policy privacy notice kaya notice for the data subjects [Music] [Music] [Music] privacy policy uh [Music] [Music] [Music] [Music] i know freely given indi it must be specific and with informed indication of will [Applause] it must be evidenced by written electronic or recorded means so foreign and confirmation email or a voice recording oral confirmation among paul but take note okay opt-in silence protect boxes or 
inactivity does not constitute consent indeed and uh you implied concept independent implied consent okay uh important reminder if it's not clear it's not consent when i say clear it has to be visually clear malachi language should be in plain simple language independence no consent is just one criterion for lawful processing of both personal and sensitive personal information so it will not always be the most appropriate basis basis okay so the processing of information shall be compatible with the declared and specified purpose so that declared a specific purpose not contrary to law morals or public policy [Music] [Music] so aside from consent if the processing is required because of a law and regulation so pretty name the process regulation cohen demand concept ready to protect the life or because if the processing is needed i am to accomplish a contract or for a legal obligation or for public order and safety or because of legitimate interest legitimate interests test law and regulation protect life medical treatment court proceedings and legal claims uh subpoena okay a big guy or okay okay aside from that is [Music] for processing okay young lawful basis for processing okay next is proportionality the principle of proportionality so the processing of information shall be adequate relevant suitable necessary and not excessive in relation to the declared and specified purpose excessive proportionality on purpose next ok next so these are the obligations of a personal con information controller again lg use municipalities um component city union a personal information controller okay so the pic should collect personal information for specified and legitimate purpose determined and declared before so an illegitimate purpose pic should process personal information fairly and lawfully and in accordance with the rights of a data subject exercise you writes of data subject so that exercise next the pic should process accurate relevant and up-to-date personal 
information so ah young to verify the authenticity next the pic should collect and process personal information adequately and not excessively so it to your proportionality collect only what is needed for the purpose that has been declared so the more you collect next the pic should retain personal information only for as long as necessary for the fulfillment of the purpose for which the data was obtained as the government made in a tower national archives of the philippines okay so um international archives of the philippines uh sila puede guidelines for um electronic forum the pic must implement reasonable and appropriate organizational physical and technical measures intended for the protection of personal information okay john security measures so these security measures are intended and aim to maintain the confidentiality the integrity and availability no personal data accidental unlawful fraudulent or natural human dangers security measuring um privacy management program procedures guidelines organizational conduct and risk assessment yeah okay next physical security measure so this security measures refers to ion perimeter workstation storage so aside from that or password yeah okay office design oh design are you going infrastructure okay protected against fire and obama protections fire extinguishers ordinary fire extinguishers extinguishers [Music] okay now technical so this refers to security measures referring to ict infrastructure network computer systems okay so example installed a firewall standard meet and must be at least aes 256 aes 256. 
recommended for government recommended to use the or adopt the iso 27001 and 27002 uh controls framework so reasonable and appropriate so again iso 27001 27002 controls framework yo recommended okay so these are the penalties one year to three years three years to six years matagal no [Music] processing the process improper disposal intentional breach or concealing breach a new concealing breach requirements npc now you have your mandatory um reporting that you have to report a breach within 72 hours so of breach malicious disclosure unauthorized disclosure or combination of acts [Music] okay number one commit to comply appoint a data protection officer memorandum circular 2018-36 or compliance officer for privacy such as component city municipality or barangay and you know compliance officer for privacy under shanang dpo the cop may perform some of the function some of the functions london dpo dp response uh responsible next data protection officer you should conduct no a privacy impact assessment know your risks yes it is a process used to evaluate you know to identify the risks possible risk the process and to determine the security measures protection measures on security measures [Music] next demonstrate your compliance implement your privacy and data protection measures so home annual identifying measure security measures that but implementation and check implementation strict implementation in the paper compliance operational compliance and the last be prepared for breach regularly exercise your breach reporting procedure within 72 hours uh qualified for mandatory uh mandatory reporting david within 72 hours ma report chance npc annual security incident report the annual is [Music] [Music] i'm having website i privacy.gov.ph okay and to conclude we must adhere to the data privacy principles adhere sumo node was a transparency legitimate purpose and important most important of all we must uphold the rights of data subjects exercises if you can't protect it 
don't collect it okay so that's the end of my presentation and i thank you okay so reminder you may input your questions on the chat box [Music] okay now let's proceed with the next topic and with the next speaker let me introduce the next speaker okay so he is the lead lawyer of npc's compliance and monitoring division before working for the npc he was part of the education division of the country's anti-trust regulator the philippine competition commission where he penned several decisions and issuances on behalf of the said commission his expertise includes intellectual property rights as he spent his first year in the legal profession working for one of the most prominent intellectual property law firms in the philippines federice and associates law offices ladies and gentlemen let us all welcome attorney stephen duma [Music] hi uh good morning everyone so first of all no i would like to thank everyone for attending uh this session uh i know no hapag usually would think nah [Music] [Music] but despite uh this challenges you know i'm glad that we were able to overcome uh these and be present uh right now uh during this uh session and speaking of challenges no uh that's uh the same objective in responding and at this point of uh this session i will proceed with discussing the data privacy challenges in contact racing so while uh sir clayo uh was able to discuss information about data privacy rights as a data privacy act objective in the manhattan uh at this part of the discussion is to delve deeper no into a more relevant topic which is young contact using um some of you know me [Music] may find me familiar because coming post compliance and monitoring division we have been conducting uh multiple meetings with uh various local government unit representatives um precisely know about the contract raising uh initiatives and implementing lgu um at the outset um kamepo from the npc we recognize poll young integral role responder pandemic and we really appreciate it uh 
not only know as part of the government sector but as private individuals initiatives [Music] as part of our mandate uh i i think you would also understand it who you know sirs and ma'ams whenever we reach out to different lgus objective namin is to ensure no in responding to the pandemic and conducting contact tracing hindi nate nakakalimutano importance of complying with the provisions of the data privacy act um of course this is not to take anything away not doing the hard work uh nagina lgu like i said itapo i uh well appreciated is that among private individuals when for example providing their personal individuals to give you accurate information accurate personal information if we can ensure particularly in terms of personal data so first part no let's define contact tracing no uh so this is based on the official issuances of the department of health so contact tracing it would include no young identification listing and follow-up of person uh who may have come in close contact with the confirmed covid-19 case so young contact tracing would uh as you may know would entail uh several uh steps you know uh from identification down to young intermediate steps and to possibly offer preventive care and at a macro perspective to understand young epidemiology of the disease so it only last nato is pertinent to the mandate of um the department of health now uh as you know yoga chasing my two broad categories private individuals through for example client and visitor contact tracing form employees employee health declaration form no foreign and understand that they must be informed of the purpose of personal data and other implications from uh going out in data collection for purposes of contact tracing personnel that would uh be involved in contact tracing must [Music] them and the women safeguards you know they are quick to uh um to signify you know that involved saying personal data that involves a contact tracing nda so important non-disclosure agreement i mean god 
forbid no name information for an authorized purpose uh you can you you have an added layer of protection or legal basis to go after this personnel important non-disclosure agreement next po is that the use of patient data should only be used should only be for purposes of policies and measures in response to the pandemic so later on uh releasing taking a step back and talking about data privacy at a macro level whenever we collect personal data um collecting personal information there may be uh multiple reasons for that big vaguely worded statement putting inadvertently well allow us not to clarify uh that or to correct that thinking at this point no nah well tayupo may have the best intentions you know for the use of personal data for example the collected information for contact racing even after 30 days the well those are good intentions no and also for the benefit of the people kapag hindi punati and nuclear from the point of collection informing the data subject or getting their consent so important the purpose of personal information limit unless if before using the information the same information we would again inform and collect the consent of the same personal uh of the same data subject so and upon importance because at the time when the data subject now provided their personal information was only on the basis of information and therefore [Music] limitation let's move on okay so transparency and proportionality security measures which in itself is a data privacy principle um as i already uh um discussed earlier you know believe another quick summary for the collection the use the sharing of uh the personal data legitimate purpose while we're doing it and that purpose must be declared and specified so privacy notice so transparency destroyed at some point if they destroy after how many days [Music] bluetooth the manpo no so basically this uh ensures in layman's terminal information indeed how do you actually observe proportionality it's the least 
privacy intrusive manner or kind of data [Music] so of course so if you really need for example excuse me the full name of the data subject then collect it uh it's better to have it and not need it than to need it than not have it information [Music] [Music] having these internal uh meetings with our uh task force you know for contact tracing um young next time security measures know of course um no organizational physical and technical uh measures in place and which would protect the personal information with the contact tracing let's move on to the next slide too big is an entire government initiative that's why uh for example uh staff and personnel along with other representatives of uh national agencies no national and in my ngas no wherein we try to come up with the most appropriate policies guidelines that would um perfectly capture the human respective mandates national privacy commission during this pandemic in addition um compliance and monitoring division for example we also reach out to different lgus going on the bangit go um [Music] on how to go about uh covid response without no um without forgetting or uh taking for granted know your importance no uh data privacy so among young some of uh places and establishments for processing personal data for government in response guidelines or pandemic or not applicable [Music] initiative as long as this initiative would entail collection of personal information you know so for example measures in place collection through [Music] there are slight variations in approach when it comes to manual and digital but the principles are the same the privacy rights of the data subject must equally be protected in both modes of collection for example attendance records uh calendar of meetings humana client uh planetary visitor contact tracing form employee health declaration form and human cctv footages um and more pertinent to the lg is young of course adopt 2020 uh 0 3 0. 
apart from these assurances like i've mentioned very should i say you know personal not non-personal but a very active young approach npc even lg you know like that wouldn't get every week we try to uh meet with as much uh as many lgu as possible you know to discuss the importance and data privacy and to look into their uh data processing systems for purposes of contact tracing and allow us to know to use this uh opportunity you know [Music] while implementing or rolling out our contact tracing apps measures in place to mitigate these risks security incident management plan and reflect reporting or notification that is a national privacy commission so let's move on to the next slide whenever we do for example compliance checks or whenever we coordinate with other government agencies or lgus champion we note down no human challenges in data privacy uh now we think kailan puneting my solution and if only to ensure the protection of the data subjects and also the effectivity no you or the effectiveness rather no non-contact tracing mechanisms not in shape uniform contact tracing protocols transparency proportionality which are as earlier mentioned no generally the previous privacy principles uh security measures and documentation so allow us to uh discuss uh these challenges one by one so first is controllership next slide please so for controllership no i'm sure not discussing personal information controller but just to [Music] refresh you know our minds a personal information controller usually pic or controller or organization who takes charge over the data processing system so basically it'll primarily respond responsible for the data processing system from the point of collection to transfer in disposal so among the responsibilities or obligations of the pics are the following so the pic must implement you know observe uh in general data privacy principles whenever no uh guinea game between data processing system uh mpic then you are responsible to implement 
reasonable and appropriate opt measures or the organizational physical and technical security measures intended for the protection of personal data cpi sirenpo uh the process would entail a sharing of data to a third party um for services now for kenyatta data for another [Music] step of the contact tracing cp ic then primarily responsible regardless if um the data is with the third parties primarily responsible and um during the early stages we have observed that there has been difficulty in determining for example or particular contact tracing process overlapping mandates or certain issues on resources lack of clarity arising from overlapping mandates but uh fortunately inaudible non-appropriate agencies and appropriate stakeholders not resolve them and partner through proper coordination so you i would understand that this is uh um not the not among the main issues [Applause] lgbt [Music] let's move on so another uh data privacy challenge encountering i mean is young lack of uniform protocol especially in the beginning of um um this response no um that would um arise from the fact that made two different kinds of contact tracing manual and digital and understandably different young specifications man mostly manual and digital contact tracing mechanisms would go hand in hand my uh smartphone another uh source of young lack of uniform protocol multiple apps uh again i know um just to clarify you know this is not to take anything away you know from uh the best intentions laid down of course and nothing is you and whenever uh you come up you know with your own um contact tracing app you know but uh nonetheless it's important knowing that we verbalize or we talk about impossible uh challenges from that kind of um policy where every lgu i may i ibang contact a application so in the context of contact tracing and i give raisin lack of uniform uh procedure for example is a data collection personal information not only for purposes of contact tracing but for building 
an identification system locality no again you know well these are rooted no from best intentions policy wise if young purpose it's itapo uh challenges no nah nagar is from having multiple apps written disposal policies so storage meaning s amazon web services personal information um different uh retention periods for example motionless doh guidelines for the quantitation data while other would need or would would state that they would retain the personal information for a longer period of time or sometimes indefinite disposal [Music] after the period among the challenges that arise you know from having multiple apps uh i mean but these lack of uniform protocols can be resolved down by appropriate iatf issuances and guidance from the national privacy commission guidance in the form of for example then what we're having right now no human sessions and i'm briefing nato and uh with regards to iatf issuances no just to um just to update everyone uh may iatf issuance but in latest number eight resolution i think number eighty nah pinata integrate no other existing uh contact tracing app into the c stay safe app which is the official app now endorsed by the iatf for purposes of contact tracing so i would say these are uh the efforts of the iatf you know to minimize or mitigate the possible uh um issues that would arise from having multiple uh contact tracing apps but uh it would all um cumberga be reconciled or it would come down to a centralized database let's move on okay so uh one uh another challenge but is young transparency and while amongst ourselves no we can transparency it means that the data subject must be made aware nature purpose and extent of the data processing including commanding risks and the safeguards involved no to address those risks it should also indicate your identity in mpic young rights now and as a data subject and compa anomaly exercising rights now for example 30 day retention period apparently uh due to for example inadvertence that 
attained 40 days [Music] for the benefit of the data subjects as process owners it's actually in in your best interest to be transparent in the data processing system you know to avoid young uh costs you know or delays or problems that would that may uh arise in the latter part of your system capacity transparent no [Music] this is the only way that i could i know protect my personal information because when i let their privacy notice process owners than pic no to be transparent and data processing when it comes to contact tracing and also with other data processing systems locality so this issue will be resolved by publishing the appropriate privacy notice with the appropriate contents so as mentioned no important no you don't privacy notice regardless of the establishment and um foreign next slide please purpose and lawful basis again we all know that we have lawful basis to conduct contact tracing but still we must uh um document it we must articulate it let the data subject know so purpose and lawful basis manner of collection use of data constantly stored next slide please okay another general data privacy principle i know but this time we'll zoom in contact tracing so um we've had uh challenges as well in terms of um the pride the principle of proportionality um so the proportionality no uh uh uh it states that the processing should be adequate relevant suitable necessary and not excessive in relation to a declared and specified purpose of course indeed so personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means it must be the least privacy intrusive a manner so union second point any other kind of processing that would entail less personal information would not do it a question purpose limitation then it means that another point is data minimization so um let's think of it this way now whenever we collect whenever we decide to collect personal information and very particular diano to each 
piece of back at complete name hindi bahayan if complete name including middle name in hindi middle name s um of course this may be resolved by the oh someone says necessary information and retention period so um establishments for processing or for analyzing your data you know for purposes of contact tracing and case management so um no whenever we collect non-personal information we process personal information be it manual and uh or digital proportion to the purpose which there are a lot of projects or purposes that we may eventually think of while collecting personal information i think i'm meeting for another project again those are um good intentions rooted in um uh sound policy studies but again ho no hope i can do for contact tracing it's more appropriate another data processing system for specifically for that purpose processing systems next slide please okay so okay security measures no of course no hapagna del nana of course lawful basis in transparency we privacy you know the style in place via manual or digital um meaning it's uh limited to the declared and specified purpose if we are collecting kind of information um next question add in a story sufficient security measures in place both organizational physical and technical measures for the protection of data by the way young specifications on organic organizational physical and technical nasa and phenomenon is ruined so maripova the contact tracing uh procedures um requirement that would uh come about in unlikely event of breach you know so it may be resolved by adopting employing measures that will maintain the availability integrity confidentiality of personal data against any accidental or unlawful dis destruction alteration and disclosure so i'm a security measure spooner in prepared not only for the willful attacks no or malicious attacks then as much as possible of course uh we know that the human idea experts not you know the truth now well 100 percent uh secure system but having a system 
with no uh sufficient security measures is totally another matter you know so about id security that would come in handy for uh when we review no security security measures uh for contact tracing next slide please okay so uh mostly challenges [Music] no as much as possible even before we roll out the app and as we continuously uh use it or my privacy impact assessment so none usually by the way me publicly available information but just to uh provide a quick uh run through it would uh include first you know description system [Music] [Music] [Music] national privacy commission data privacy challenges uh encountering um this discussion um made uh the representatives of our lgus uh more awareness on the importance of the data privacy when um conducting contact tracing [Music] again this goes beyond merely regulatory or reportorial requirements this goes into uh the trust no no not in constituency sat in contact tracing procedures and of course we all know that trust would um lead to young uh high degree of effectiveness and contact tracing that in so it's important oh no no you know observe that in my general data privacy principles uh [Music] let's keep in mind these data privacy principles whenever we plan to adopt or implement any project that would entail collection and use of data of personal data from our constituents so i in that ends my presentation pop no thank you paul thank you very much attorney stephen and now uh we're ready to answer your question so members speakers but before that few announcements feedback you have to answer the feedback form and email um certificate of participation okay uh so remember the panel are you ready uh attorney stephen and attorney vida for the first question okay let's go yes sir first question covered social media no copying a warrant of arrest by police officers and court employees by police officers and court employees technically national courts [Music] [Music] [Music] or um um in hiding fugitive in hiding uh considering 
the lawful processing or in the pursuance of legitimate interest so young okay thank you attorney the next question um contrary to a few months back um with the fo i provide pco [Music] data privacy principles transparent lgu or young government agency my legitimate purpose request those information if you have any other concerns if you have any other questions or clarifications yeah circle yeah thank you attorney the next question required puba every lgu to have dpo okay i would like to answer protection can communicate somehow processing systems now uh some pic so that at home a data protection officer about lg [Music] okay next question um what if the government uses a third-party service what are the rules regarding for the use of third-party systems and storage can an lgu use a third-party system that stores the information and does the processing okay [Music] provisions uh data privacy act or dpa on outsourcing so inpu instance the dimension is circular hanina we're in um capacity for let's say processing young third parties or emerging resources to transfer some of the processing functions for instance in storage or transmittal then um to a third party so cloud service providers are examples of those as na mentions a question kanina anger um primarily my outsourcing agreement and then my provisions put in the holiday or may required provisions outsourcing agreement and um third party service provider napa patent um personal information or your processing of personal information um personal information so check out napoleon meredith on outsourcing okay next question is uh what kind of data breach should be reported to npc within 72 hours lecture topic so um definition you can check the uh check out npc circular 16-03 so the important data breach management so my definition personal data security incident which is the bigger aspect uh thousand personal data breaches attack which is a type of security incident and then thirdly mero is a punk personal data breach 
which is subject to mandatory notification so my three elements depend because it's a type of data if it's sensitive personal information or any other information that would enable identity fraud that was an uh mode of bridge post or obtain an unauthorized person and the acquisition will lead to a real risk of serious harm duns a data subject or subjects then yunyun reports npc within a period of 72 hours and for more information on that in the interest of time outline procedure of as well as content notifications circular 16-03 so padding so website and you can also um uh check out materials name and apart from the circular din materials put on on data breach as well as student data breach requiring mandatory notification okay thank you attorney vida uh okay next question attention among data collected from google survey forms thank [Music] next question uh what are the basis in a ppo is the item in the planter position yeah i would like to answer qualification general qualification attorney duma would you like to answer so what are the basis in appointing a data protection officer qualifications in general qualifications um advisory in the impossible you can check out advisory 17-01 so my general qualifications put on um um knowledge on data the data privacy act or data protection um preferably somebody now policies and guidelines so lgus normally we recommend um depend is a type of lgo by the human city administrators or provincial administrators um somebody generally who is in the monitoring or overseeing function at least processing systems not my personal information and then so depth of knowledge and expertise so you answered thank you for the video hi uh can you can you guys hear me yes defense okay see when we if we're talking about yuma formal uh requirements so full-time or organic employee no icc dpo so but public or government sector uh can be a career or a point of possession so um um it's a formal then general qualifications of course may specialize 
knowledge and reliable in terms of um fulfilling uh the specific judicial uh under your issue on soheiland monitoring [Music] privacy impact assessments um and then sharing will be bringing an advice a pic on how to uh enforce you know or observe the rights of the data subject and of course implementing security incident management uh so these are the obligations now whenever we're looking for a dp or an alumni and govinyon of course apart from the formal uh minimum requirements that i just mentioned thank you okay thank you attorney stephen okay next question um [Music] basis but i am a lawful basis but i offer doing what they're doing so uh if there are issuances for example uh if contact ray circa among the obligations imposed upon you is young surveillance no obligations which is to you know precisely to go around to see uh i'm gonna go evaluate then you can do so provided that what the the the extent of data that you're collecting be it photo or other additional information it's also provided authority me authority mo to do it so again um just to step back uh we all know in a manpower on my lawful basis for contact tracing but that doesn't uh um do away with our obligation to be particular about the um personal information that were collected or no authority issued in our favor whenever we do young contact these hypotheticals hypothetical scenarios basic principles of privacy no legitimate purpose transparency and proportionality so um keep in mind whenever we're collecting or processing personal information well uh thank you authorities question is it still possible to go after people who had done breach violations more than a year ago the answer is yes okay last question in the interest of time um and we'll send it to you to serve as your reference okay and uh now okay i would like to introduce the next speaker to give the closing remarks okay so the next speaker has a long-serving career as a public servant who has earned a well-deserved reputation as a 
strong leader and champion of good governance in the country she served with distinction as executive director of the local government academy the training arm of the dilg for over two decades while also working as the president of the local government training and research institute's philippine network she also concurrently served as regional director of dilg region 8 before taking on the challenge of a dilg assistant secretary and then under secretary shortly after she holds a master's degree in development management from the asian institute of management in makati city and a bachelor of science in education from the university of san carlos cebu philippines she also received a scholarship to study conflict management and post conflict recovery at the university of york in the united kingdom through the chevening senior fellowship program of the british council she is also the author of several publications including wealth in whose hands a case study on the devolution of health services in the philippines responding to the challenges of local governance an institution building strategy of the local government academy and other notable knowledge products produced by the lga ladies and gentlemen to deliver the closing remarks please welcome under secretary marvel c thank you for the very kind introduction i would like to begin by expressing the department's gratitude to the national privacy commission and all the staff behind npc and to the bureau of local government supervision of the dilg for making this virtual orientation possible thank you as well for the effort of each and every one of us primarily our local government officials and functionaries who are here with us today in safeguarding and guaranteeing the data privacy right of every filipino technology could be our closest friend when we conveniently give our personal information but it could also become our greatest enemy when the personal data that we gave was accessed or disclosed 
without our consent which will then lead to either identity theft or fraud or even blackmail and damage to our reputation the existence of the covid-19 pandemic made our names and contact details widely available through providing this data the establishments that you are visiting for contact tracing purposes but there is a need to balance collection of personal data and preservation of public health as public servants we are accountable to the filipino people and this is one way of carrying out our sworn duty to be in the front line of upholding the philippines compliance with the international standards set for data protection government cannot do this alone we need a whole of society approach in preserving the trust of the citizens that we continuously serve let the data privacy act of 2012 be our guiding line as we perform this duty let the lessons we learned today serve as our tool to fortify the right to privacy and data protection of the filipino people as we close this activity let us all ask ourselves why we have been here today and how we can contribute further on strengthening the protection of personal information in the country this is just the beginning beyond what we acquired today beyond what uh learnings we got today we need to use them translate them and into actions at the local government level as we engage with our respective publics thank you and let us all build a culture of privacy committed to excellence and ethics in public service [Music] [Music] thank you oh you
Info
Channel: National Privacy Commission
Views: 696
Rating: 5 out of 5
Id: 3whIAJRgt3I
Length: 226min 32sec (13592 seconds)
Published: Thu Dec 03 2020